By annulling a transatlantic agreement that regulates the transfer of data between the U.S. and Europe, Europe’s judges have in one swoop sent executives on both continents scrambling for legal advice and aspirin.

What’s more, the ruling could dramatically redraw the balance of power among European privacy regulators.

Here are five takeaways:

1. The European Commission defended the indefensible

The judgment is a blow for the European Commission’s credibility.

It stuck by the existing “safe harbor” agreement even after Edward Snowden’s revelations about America’s mass surveillance program. Europe’s top judges criticized the Commission for signing the pact in 2000, let alone for sticking by it.

Not even the Commission’s usual allies agreed with its position. Martin Weber, leader of the center-right European People’s Party, declared after the judgment that he had “repeatedly demanded during the past years to cancel this agreement.”

Frans Timmermans, the Commission vice-president, blamed the existing strategy on the previous Commission.

Věra Jourová, the European commissioner for justice, declined Tuesday to set out a timeline to negotiate a “safer safe harbor” agreement, but she said the ECJ’s verdict would strengthen the Commission’s hand in those talks.

Regardless, the Commission may struggle to defend any deal it eventually strikes before members of the European Parliament and some member states.

2. National data protection authorities take power

The clear beneficiaries of the ruling are the newly empowered and ever-ambitious national data protection authorities. That is if you consider a huge increase in workload a benefit.

“This ruling establishes that independent data protection authorities are a key player in ensuring high protection for those rights,” crowed the Spanish authority. Five years ago, it championed the right of a Spanish citizen to erase certain links from Google’s search results and won the “right to be forgotten” from the EU court.

In the absence of a safe harbor agreement, companies seeking to transfer data across the Atlantic will need the approval of their local privacy bodies.

Corporate lawyers are now waiting with baited breath to see whether the increasingly assertive privacy bodies will come up with a joint approach, or create a jig-saw puzzle of procedures.

Tuesday’s judgment may not be to the liking of all national regulators. Ireland’s data protection authority resisted the complaint against Facebook. That position was perhaps not disinterested: Ireland has made itself the European base for the world’s largest tech firms.

The Irish data protection commissioner, Helen Dixon, said she welcomed the court’s clarification of national regulators’ responsibilities.

3. Data firms need guidance, fast

The ruling is a blow for the roughly 4,400 U.S. companies that rely on the safe harbor agreement when handling data, according to Wim Nauwelaerts, a privacy lawyer with Hunton & Williams in Brussels.

Many were woefully unprepared. POLITICO called some 20 companies dealing with data on Monday and many knew nothing about the impending verdict. They will now.

AmCham EU, which represents American companies in Europe, expressed concern that the judgment could “compromise the EU economic recovery and negatively impact the Commission’s goal to create a digital single market.”

DigitalEurope, representing technology industries, said the ruling created a “legal vacuum.”

Reacting to the ruling, the Commission stressed that data transfers between the U.S. and Europe can continue on the basis of other legal mechanisms.

A lot rides on what steps the Commission and national data protection supervisors take in response. “It is crucial for legal certainty that the EC sends a clear signal,” said Nauwelaerts.

That could involve providing a timeline for concluding an agreement with U.S. authorities, together with a commitment from national data protection authorities not to block data transfers while negotiations are on-going, he explained.

4. Europe’s top court is now the darling of civil libertarians

The ruling is a victory for civil liberty campaigners.

After Snowden revealed the extent of U.S. online surveillance, the Commission criticized U.S. conduct but left the safe harbor pact unchanged. Pro-privacy MEPs have been unable to ram tough reforms into the draft data protection regulation.

For a while it looked like advocates would have to rely on petitioning the Commission, under a new procedure introduced in 2012.

Max Schrems, an Austrian law student, beat them to it. He first voiced his concerns about Facebook and the safe harbor agreement to the Irish privacy agency in June 2013.

“After last year’s data retention ruling, this is the second time in two years that the Court of Justice has struck down an instrument that the European Commission had spent years defending,” said Joe McNamee, executive director of European Digital Rights, a lobby group.

The speed and decisiveness of that ruling from Europe’s judges casts an unfavorable light on the Commission’s efforts to guarantee a higher standard of protection for Europeans online – and not for the first time.

5. A boon for European cloud industry

Striking down the safe harbor relied on by U.S. firms will boost business for Europe’s data storage providers.

“One possible effect will be that European cloud providers will be better positioned to offer and sell their services in competition to the U.S. service providers,” said Alexander Dix, the privacy commissioner for the State of Berlin. That could lead to more technology jobs and investment in Europe.

However, some companies could simply reorganize their resources and processes. Facebook has already done this.

The windfall for Europe’s cloud storage industry will become clear in the coming days as regulators and lawmakers make critical decisions about how to respond to the ECJ verdict.

This was first published on POLITICO Pro.

This article has been corrected to clarify the context of McNamee’s comments.